Understanding Singapore Personal Data Protection Act

November 28, 2024

Our mission is to make data protection easy for people: easy to understand and easy to read about. We do that through our blog posts, making it easy for the end-user to understand personal data protection.

To ensure no personal data is misused, exploited, or infiltrated during processing, almost all countries worldwide impose data protection regulations on businesses. Singapore’s response to the increasing need for data protection and regulation is the Personal Data Protection Act (PDPA). Enacted in 2012, PDPA is the benchmark for data protection in the country, and it details the conditions to be met while collecting, using, or disclosing personal data within Singapore.

In this article, we take a deep dive into the PDPA.

What is PDPA, Singapore

Singapore’s Personal Data Protection Act is a data protection law that regulates the collection, use, and disclosure of the personal data of the country’s citizens by any private organisation, including organisations located outside of Singapore.

All organisations, regardless of location, must comply with the Singapore PDPA obligations if they collect, use, or disclose the data of individuals within the country. By “data”, the PDPA means both electronic and non-electronic personal data of individuals, highlighting the comprehensive approach Singapore has taken to protect customer data.

The Personal Data Protection Commission (PDPC) – a statutory body in Singapore – is responsible for enforcing and administering the data protection provisions of the Act.

The Data Protection Authority (DPA) is responsible for overseeing whether the Act is enforced correctly in the country, exercising a range of powers – conducting investigations, issuing orders to cease activities, ordering the destruction of data if required, and imposing financial sanctions, penalties, and fines on organisations that violate their obligations or fail to demonstrate PDPA compliance. The Singapore PDPA came into effect on July 2, 2014.

Imposed upon organisations holding customers’ personal data, the Singapore PDPA recognises the rights of individuals as well as the organisational need for transparent data processing. By enforcing this Act, the PDPC aims to elevate the country’s economic stature by “increasing consumer trust and strengthening Singapore’s position as a trusted global data hub.”

Please note that the PDPA primarily focuses on information management, as per Article 3, which defines the purpose of the Act.

Key Obligations of PDPA, Singapore

The PDPA revolves around certain key obligations briefly described here:

  • Consent Obligation – Organisations are mandated to seek the consent of individuals before collecting, using, or disclosing their personal data, as detailed in Section 13 of the PDPA. This consent should be given freely and voluntarily. Individuals should be well informed about the purpose of collecting, using, or disclosing their personal data. These actions should immediately cease if the data owner withdraws their consent.
  • Purpose Limitation Obligation – As per Section 18, any activity related to collecting, using, or disclosing individuals’ personal data should be carried out only for the purpose communicated to the data owner.
  • Notification Obligation – Section 20 of the PDPA mandates that organisations inform users of the purpose behind collecting, using, or disclosing their personal data.
  • Access and Correction Obligation – Sections 21 and 22 of the PDPA give individuals the right to request from the organisation access to, and correction of, the personal data it holds about them, including editing, modifying, or deleting that data from the organisation’s database.
  • Accuracy Obligation – According to Section 23 of the PDPA, organisations holding user data must implement the measures necessary to ensure they collect accurate, consistent, and complete data, especially when it is collected for decision-making or disclosed to another organisation for a legitimate purpose.
  • Protection Obligation – According to Section 24, organisations are accountable for protecting the user data they hold by implementing robust security measures. This is to prevent unauthorised access, use, collection, and disclosure of personal data.
  • Retention Limitation Obligation – Under Section 25 of the Act, organisations are obligated to cease retaining any document containing personal data once the purpose for which it was retained no longer applies.
  • Transfer Limitation Obligation – Section 26 of the PDPA limits an organisation’s ability to transfer the personal data it holds outside the country. As per Section 26(1), a transfer may take place only if the organisation can ensure that the same level of protection will be applied to the personal data during and after the transfer.
  • Openness Obligation – Organisations should implement proper steps and policies to comply with PDPA standards.

In addition to these obligations, organisations must appoint a dedicated Data Protection Officer (DPO) to oversee whether all of the organisation’s personal data management activities comply with PDPA standards. Moreover, any breach of PDPA provisions can expose a business to hefty repercussions, such as a fine of up to SGD 1 million or 10% of the company’s annual turnover, whichever is higher.

PDPA Rights to Individuals

The PDPA empowers individuals with the following rights:

  • Right to Access: Individuals have the right to request access to the personal data an organisation holds about them. The organisation should respond to the request as soon as possible, and the response should include how the data has been used or disclosed over the past year.
  • Right to Correction: The PDPA allows individuals to ask for amendments to their personal data if they find any discrepancies or errors.
  • Right to Withdraw Consent: The PDPA gives individuals the right to withdraw consent they have already given to the collection, use, and disclosure of their data – at any time. However, organisations must inform individuals of the consequences of such a withdrawal.
  • Right to Accuracy: As stated in the previous section, organisations are mandated to ensure that only accurate and complete data is collected. Ensuring data accuracy is especially critical when the data is used for decision-making that affects individuals or is disclosed to a third-party organisation.
  • Right to Protection: To reiterate, individuals can rest assured that all essential measures are in place to keep their personal data out of the reach of hackers.
  • Right of Private Action: For any loss or damage caused by an organisation violating PDPA provisions, individuals have the right to seek compensation.
  • Right to be Informed: Individuals have the right to be kept in the loop and to be fully aware of the purpose of collecting, using, or disclosing their personal data. They can also request the contact information of the designated person responsible for responding to their queries about their personal data.

In addition, the PDPA prohibits businesses from calling or sending messages for marketing purposes to Singapore telephone numbers registered with the Do Not Call registry (DNC registry). Calling or sending messages to DNC-registered numbers without first checking the registry is a violation of the Act, and hence an act of non-compliance. Businesses can be fined up to US$10,000 per message sent. Having come into effect on 2 January 2014, the DNC registry already includes more than 600,000 registered phone numbers.

Data Breaches and Enforcement: What Happens When Things Go Wrong?

If a data breach occurs, organisations operating under the jurisdiction of Singapore’s Personal Data Protection Act (PDPA) are mandated to assess the situation promptly. The assessment helps determine whether it is a notifiable data breach, the type of data breached, and its impact on the company and on individuals. If the breach poses any security risk to the owners of the breached data, the organisation must notify them and the PDPC without undue delay (within three calendar days after the day of assessment).

The Singapore PDPA defines a “notifiable data breach” as one that:

  1. Can significantly affect the individuals whose data has been breached, or
  2. Is of a significant scale, affecting 500 or more individuals.

The notification to the PDPC should include the impact and extent of the breach, its likely consequences, and the actions to be taken to mitigate the risks.

Once the impact has been mitigated, organisations must conduct a thorough investigation to prevent further escalation and to avoid similar occurrences in the future.

Amendments and Updates

The Personal Data Protection (Amendment) Act 2020, which amends the PDPA 2012, came into effect in phases from February 1, 2021. These amendments are considered the most significant since the Act was first put into action in 2014.

The amendments include:

  • Mandatory Data Breach Notification: Organisations are mandated to notify both the affected individuals and the PDPC of a “notifiable data breach”.
  • Expanded Scope of Deemed Consent: With this amendment, the PDPA allows organisations to use personal data even without direct consent from the data holders. Deemed consent also applies when an organisation has informed individuals about how their data will be used and the individuals do not opt out, making it easier for organisations to use personal data under certain conditions.
  • Exceptions to Express Consent: According to this amendment, organisations no longer need explicit consent from data holders to use their data for a legitimate purpose that outweighs any adverse effects on individuals.
  • Personal Liability for Mishandling of Personal Data: Any misuse or mishandling of personal data is punishable by a fine of up to SGD 5,000. Furthermore, unauthorised disclosure of personal data or re-identification of anonymised data can lead to imprisonment.
  • Increase in Financial Penalty Cap: Previously, the maximum financial penalty for a breach of a provision was SGD 1 million; it has now been increased to 10% of the company’s annual turnover or SGD 1 million, whichever is higher.
  • Data Portability Obligation (Upcoming): This upcoming amendment obligates organisations to transfer data to another organisation on request. This obligation will facilitate collaboration, improve customer autonomy, and intensify competition.

Implications for the Healthcare Sector: The Singapore PDPA now mandates that healthcare providers in the country have well-thought-out data breach response plans in place.

Thomas Lambert